Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks 

EVA Information Security has shared details on three CocoaPods vulnerabilities impacting millions of macOS and iOS applications.

Critical vulnerabilities in the CocoaPods dependency manager could have allowed threat actors to take over thousands of orphaned packages, execute shell commands on the Trunk server, and hijack accounts, potentially impacting millions of iOS and macOS applications, red teaming firm EVA Information Security reports.

CocoaPods, an open source dependency manager for Swift and Objective-C Cocoa projects, has more than 100,000 libraries, and is used by over three million applications across the Apple ecosystem.

In 2014, CocoaPods migrated to a Trunk server acting as a centralized repository and distribution platform, a process that left thousands of packages orphaned: authorship was reset for all pods, and for many of them the previous owner was unknown.

While Podspec authors were asked to claim ownership of pods and retain control over them, 1,866 packages, including many that are widely used in other libraries, remain orphaned.

What EVA discovered was that all pods that had never been claimed were automatically associated with a default owner using the same email address, and that the public API for claiming ownership was still available, essentially allowing anyone to claim the pods as their own.

An attacker could exploit the vulnerability – tracked as CVE-2024-38368 (CVSS score of 9.9) – to take over known orphaned pods and modify their contents or replace them with malicious code.

“We found mentions of orphaned pods in the documentation or terms of service documents of applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more. Overall, we found 685 pods that had an explicit dependency using an orphaned pod,” EVA notes.

The second vulnerability, tracked as CVE-2024-38366 (CVSS score of 9.0), is a remote code execution bug in the authentication server for CocoaPods, which executes a shell command to validate the email domain when a developer registers as a pod owner.


“This lookup could be manipulated to also execute a command on the trunk server, effectively giving root access to the server and the infrastructure,” the NIST advisory reads.

According to EVA, vulnerable methods in the RFC822 email validation code used during the verification process allow an attacker to inject a bash command that is executed on the Trunk server. An attacker could exploit this insecure email verification workflow to manipulate or replace packages being downloaded.
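The defensive lesson from the second flaw is that an email domain supplied by a registrant must never be interpolated into a shell command. The added example below is not CocoaPods code; it shows a hypothetical hardened domain check in Ruby (the Trunk server's language) that validates the syntax first and then performs the MX lookup through the Resolv library instead of a spawned command, with an injectable resolver so it runs offline.

```ruby
require 'resolv'

# Strict syntactic check on the domain part of an email address: labels of
# letters, digits and hyphens separated by dots. Spaces, quotes, ';', '$('
# and backticks never match, so they are rejected before any lookup runs.
DOMAIN_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# Returns the domain after the last '@', or nil when the address is malformed.
def extract_domain(email)
  local, _, domain = email.to_s.rpartition('@')
  return nil if local.empty? || domain.empty?
  domain
end

def valid_domain_syntax?(domain)
  !!(domain && DOMAIN_RE.match?(domain))
end

# Hypothetical replacement for a shell-based MX lookup (the pattern the
# article describes interpolated the domain into a command string). This
# version uses the Resolv library, so the input never reaches a shell; the
# resolver is injectable so the check can run offline in tests.
def domain_accepts_mail?(domain, resolver: Resolv::DNS.new)
  return false unless valid_domain_syntax?(domain)
  mx = resolver.getresources(domain, Resolv::DNS::Resource::IN::MX)
  return true unless mx.empty?
  # No MX record: fall back to an A record, as mail delivery does.
  !resolver.getresources(domain, Resolv::DNS::Resource::IN::A).empty?
rescue Resolv::ResolvError
  false
end

# Constructed stand-in resolver with a fixed record table (not real DNS data).
class ConstructedResolver
  def initialize(records)
    @records = records
  end

  def getresources(name, type)
    @records.fetch([name, type], [])
  end
end

EXAMPLE_RECORDS = {
  ['example.com', Resolv::DNS::Resource::IN::MX] => [:constructed_mx],
  ['noreply.test', Resolv::DNS::Resource::IN::A] => [:constructed_a],
}.freeze
```

With the real `Resolv::DNS.new` default, the same function performs a live lookup; the regex gate in front of it is what keeps shell metacharacters out of any downstream call.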

“If an unauthorized threat actor compromises the server, they could potentially dump all pod owners’ session tokens, poison clients’ traffic or even shut down the server completely,” EVA notes.

The third vulnerability, tracked as CVE-2024-38367 (CVSS score of 8.0), is also related to the authentication process, allowing an attacker to hijack a pod owner’s session and take over the CocoaPods trunk account.

CocoaPods authenticates new devices by creating a session that becomes valid only after the owner visits a link that the Trunk server generates and sends to the email address provided by the client when requesting the session.

EVA noticed that an attacker could spoof the X-Forwarded-Host (XFH) header used for identification and that the server would use the spoofed header to construct the URL sent via email. The URL could lead users to third-party websites that could steal their session cookies.

By having the session validation link sent automatically to their server, the attacker could then escalate this to a zero-click attack.
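The third flaw comes down to building an emailed verification link from a request header the client controls. The added Ruby example below is not CocoaPods code: it places the header-derived URL builder beside a hardened one that uses an operator-configured host, plus a front-controller check that refuses unknown `X-Forwarded-Host` values; the host name `trunk.example.test` is a constructed placeholder.

```ruby
require 'uri'
require 'securerandom'

# Constructed placeholder for the host the operator configures server-side.
CANONICAL_HOST = 'trunk.example.test'
ALLOWED_HOSTS  = [CANONICAL_HOST].freeze

# Vulnerable pattern (illustrative, not the project's code): the host in the
# verification link comes from a header the client controls, so the emailed
# link can point at whatever host the requester named.
def verify_url_from_headers(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened form: the host is a server-side constant, the token must be
# URL-safe, and the result is checked to still point at the canonical host.
def verify_url_hardened(token)
  raise ArgumentError, 'bad token' unless token.match?(/\A[A-Za-z0-9_-]{32,}\z/)
  uri = URI::HTTPS.build(host: CANONICAL_HOST, path: "/sessions/verify/#{token}")
  raise 'host mismatch' unless uri.host == CANONICAL_HOST
  uri.to_s
end

# Session tokens should be unguessable and safe to embed in a URL path.
def new_session_token
  SecureRandom.urlsafe_base64(32)
end

# Defensive check for the front controller: refuse (or at least log) any
# request whose X-Forwarded-Host names a host this service does not serve.
def forwarded_host_allowed?(headers)
  xfh = headers['X-Forwarded-Host']
  return true if xfh.nil?
  # "a, b" means several proxies appended values; every hop must be known.
  xfh.split(',').map(&:strip).all? { |h| ALLOWED_HOSTS.include?(h.downcase) }
end
```

Logging every rejection from `forwarded_host_allowed?` also gives a simple detection signal for header-spoofing attempts against the session endpoint.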

“By spoofing an HTTP header and taking advantage of misconfigured email security tools, attackers could execute a zero-click attack that grants them access to a developer’s account verification token. This would allow attackers to change packages on the CocoaPods server and result in supply chain and zero-day attacks,” EVA explains.

As for the number of impacted applications and devices, the security firm noted that “a significant percentage of the Swift and Objective-C application ecosystem (including iOS, macOS, and other Apple device software) was susceptible to supply chain and zero-click attacks, with an estimated range of thousands to millions of apps.”

“Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years,” it added.

CocoaPods addressed these vulnerabilities server-side in September and October 2023, and exploitation is no longer possible.

“The worst-case scenario is that an attacker could have used this technique to get access to our trunk database. The table of information in the database which should not be seen are session keys. These keys act like unique passwords to accounts, and session keys are used to connect authenticated users to pods. We are wiping all session keys, which ensures no-one other than those with access to their emails can post updates to those pods,” CocoaPods said at the time.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.